Secure group creation in proximity based service communication

ABSTRACT

A method of forming a secure group in ProSe communication includes requesting a service request to a ProSe server from a requesting device (21), the service request indicating a request to communicate with a receiving device (22) from the requesting device (21), performing verification on the requesting and receiving devices (21) and (22) by the ProSe server 24, sending a ProSe Service Result to the requesting and receiving devices (21) and (22) to inform them that they are allowed to be group members, and starting a group security establishment of the group including the requesting and receiving devices (21) and (22).

CROSS-REFERENCE TO RELATED APPLICATIONS

The present application is a continuation of U.S. patent application Ser. No. 15/655,179 entitled “Secure Group Creation In Proximity Based Service Communication,” filed on Jul. 20, 2017, which is a continuation of U.S. patent application Ser. No. 14/900,006 entitled “Secure Group Creation in Proximity Based Service Communication,” filed on Dec. 18, 2015, which is a national stage application of International Application No. PCT/JP2014/003166, filed on Jun. 13, 2014, which claims the benefit of priority from Japanese Patent Application No. JP2013-137291, filed on Jun. 28, 2013, the disclosures of each of which are incorporated herein in their entirety by reference thereto.

TECHNICAL FIELD

This invention relates to a secure system and a method of forming a secure group, and more specifically, to a secure system that provides a method of forming a secure group in Proximity based Service (ProSe) communication.

BACKGROUND ART

3GPP (3rd Generation Partnership Project) has started to study Proximity based Services (ProSe) for both commercial and public safety uses. 3GPP SA1 (Services Working Group) has initiated some security requirements for secure communication, UE (User Equipment) identity, and privacy protection.

ProSe represents a recent and enormous socio-technological trend. The principle of these applications is to discover instances of the applications running in devices that are within proximity of each other, and ultimately to also exchange application-related data. In parallel to this, there is interest in proximity-based discovery and communications in the public safety community.

ProSe communication can provide services to the UEs in proximity via an eNB (Evolved Node B) or without the eNB. The SA1 requires that the ProSe service be provided to UEs with or without network coverage. The UEs can discover other nearby UEs or be discovered by other UEs, and they can communicate with each other. Some use cases can be found in NPL 1. The ProSe server is a network element as agreed in 3GPP SA2#97 to NPL 2.

CITATION LIST

Non Patent Literature

-   NPL 1: 3GPP TR 22.803 Feasibility study for Proximity Services (ProSe), (Release 12)
-   NPL 2: 3GPP TR 23.703 Study on architecture enhancements to support Proximity Services (ProSe) (Release 12)

SUMMARY OF INVENTION

Technical Problem

However, despite the security issues involving authorization as well as privacy issues, 3GPP SA3 offers no security solution.

Solution to Problem

The present invention has been made to present an overall security solution for the above-mentioned security issues.

In one embodiment, there is provided a method of forming a secure group in Proximity based Service (ProSe) communication by a requesting device which requests a communication and a receiving device which receives a communication request from the requesting device, wherein the requesting and receiving devices have subscribed to the ProSe service, the method including requesting a service request to a ProSe server from the requesting device, the service request indicating a request to communicate with the receiving device from the requesting device, performing verification on the requesting and receiving devices by the ProSe server, sending a ProSe Service result to the requesting and receiving devices to inform them that they are allowed to be group members, and starting a group security establishment of the group including the requesting and receiving devices.

In another embodiment, there is provided a secure system including a plurality of User Equipments (UEs) and a Proximity based Service (ProSe) server, including a requesting device which requests a communication; and a receiving device which receives a communication request from the requesting device. The requesting device and the receiving device have subscribed to the ProSe service. The requesting device requests a service request to the ProSe server, the service request indicating a request to communicate with the receiving device from the requesting device. The ProSe server performs verification on the requesting and receiving devices. The ProSe server sends a ProSe Service result to the requesting and receiving devices to inform them that they are allowed to be group members. The requesting and receiving devices start a group security establishment of the group including the requesting and receiving devices.

Advantageous Effects of Invention

A secure system and a method of forming a secure group in Proximity based Service (ProSe) communication can present solutions for security issues.

BRIEF DESCRIPTION OF DRAWINGS

The above and other objects, advantages and features of the present invention will be more apparent from the following description of certain preferred embodiments taken in conjunction with the accompanying drawings, in which:

FIG. 1A is a schematic view showing the ProSe Communication scenario in NPL 1;

FIG. 1B is a schematic view showing the ProSe Communication scenario in NPL 1;

FIG. 2 is a schematic view showing an example of the systems which provide a method of making a secure communication according to an exemplary embodiment of the present invention;

FIG. 3 is a schematic view showing a secure system of an exemplary embodiment of the present invention;

FIG. 4 is a sequence diagram explaining a method of making a secure communication of an exemplary embodiment of the invention;

FIG. 5A is a schematic view showing a One-to-one session;

FIG. 5B is a schematic view showing a One-to-many session; and

FIG. 5C is a schematic view showing a Many-to-many session.

FIG. 6 is a flow chart showing a method of performing the group management of a case 1C of an exemplary embodiment.

DESCRIPTION OF EMBODIMENTS

For purposes of the description hereinafter, the terms “upper”, “lower”, “right”, “left”, “vertical”, “horizontal”, “top”, “bottom”, “lateral”, “longitudinal”, and derivatives thereof shall relate to the invention as it is oriented in the drawing figures. However, it is to be understood that the invention may assume alternative variations and step sequences, except where expressly specified to the contrary. It is also to be understood that the specific devices and processes illustrated in the attached drawings, and described in the following specification, are simply exemplary embodiments of the invention. Hence, specific dimensions and other physical characteristics related to exemplary embodiments disclosed herein are not to be considered as limiting.

In the exemplary embodiments, though the security solutions with a focus on specifically direct communication, discovery, and communication will be explained, the solutions can be applied to other communications as well.

Firstly, definitions given in 3GPP TR 21.905: “Vocabulary for 3GPP Specifications” will be explained.

ProSe Direct Communication:

A communication between two or more UEs in proximity that are ProSe-enabled, by means of user plane transmission using E-UTRAN technology via a path not traversing any network node.

ProSe-Enabled UE:

A UE that supports ProSe requirements and associated procedures. Unless explicitly stated otherwise, a ProSe-enabled UE refers both to a non-public safety UE and a public safety UE.

ProSe-Enabled Public Safety UE:

A ProSe-enabled UE that also supports ProSe procedures and capabilities specific to Public Safety.

ProSe-Enabled Non-Public Safety UE:

A UE that supports ProSe procedures but not capabilities specific to public safety.

ProSe Direct Discovery:

A procedure employed by a ProSe-enabled UE to discover other ProSe-enabled UEs in its vicinity by using only the capabilities of the two UEs with rel.12 E-UTRAN technology.

EPC-Level ProSe Discovery:

A process by which the EPC determines the proximity of two ProSe-enabled UEs and informs them of their proximity.

FIGS. 1A and 1B are schematic views showing the ProSe Communication scenarios in NPL 1. When a UE 11 and a UE 12 which are involved in the ProSe Communication are served by the same eNB 19 and network coverage is available, a system 100a can decide to perform ProSe Communication using control information exchanged between the UEs 11, 12, eNB 19 and an EPC (Evolved Packet Core) 14 (e.g., session management, authorization, security) as shown by the solid arrows in FIG. 1A. For charging, modifications should be minimized with respect to the existing architecture. The UEs 11 and 12 can in addition exchange control signaling via the ProSe Communication path as shown by the dashed arrow in FIG. 1A.

When the UEs 11 and 12 involved in the ProSe Communication are served by different eNBs 19, 20 and network coverage is available, a system 100b can decide to perform ProSe Communication using control information exchanged between the UEs 11, 12, eNB 19 and the EPC 14 (e.g., session management, authorization, security) as shown by the solid arrows in FIG. 1B. In this configuration, the eNBs 19 and 20 may coordinate with each other through the EPC 14 or communicate directly for radio resource management as shown by the dashed arrow between the eNBs 19 and 20 in FIG. 1B. For charging, signaling modifications should be minimized with respect to the existing architecture. The UEs 11 and 12 can in addition exchange control signaling via the ProSe Communication path as shown by the dashed arrow between the UE 11 and the UE 12 in FIG. 1B.

If network coverage is available for a subset of the UEs, one or more Public Safety UEs may relay the radio resource management control information for other UEs that do not have network coverage.

If network coverage is not available, the control path can exist directly between Public Safety UEs. In this configuration, the Public Safety UEs can rely on pre-configured radio resources to establish and maintain the ProSe Communication. Alternatively, a Public Safety Radio Resource Management Function, which can reside in a Public Safety UE, can manage the allocation of radio resources for Public Safety ProSe Communication.

FIG. 2 is a schematic view showing an example of the systems which provide a method of making a secure communication according to an exemplary embodiment of the present invention. As shown in FIG. 2, a system 10 includes the UE 11, the UE 12, an E-UTRAN 13, the EPC 14, a ProSe Function 15, a ProSe APP Server 16, a ProSe APP 17, and a ProSe APP 18.

The UE 11 and the UE 12 can communicate through a PC5, the UE 11 and the E-UTRAN 13 communicate through LTE-Uu1, and the UE 12 can communicate with the E-UTRAN 13 and the ProSe Function 15 through LTE-Uu2 and a PC3, respectively. The EPC 14 and the ProSe Function 15 can communicate through a PC4, the ProSe APP server 16 can communicate with the EPC 14 and the ProSe APP 18 through an SGi and a PC1, respectively, and the ProSe Function 15 can communicate by itself through a PC6.

As described above, existing keys can be used when using an infrastructure, i.e., via eNodeB. However, a new solution is needed for device-to-device direct discovery and communication; for example, a key can be sent from the network to communicating parties, a key can be created between communicating parties, or a similar algorithm for negotiation can be used directly or via the network. Further, a new solution is also needed for the security over the unlicensed spectrum.

Two different modes for ProSe Direct Communication one-to-one are supported:

Network independent direct communication: This mode of operation for ProSe Direct Communication does not require any network assistance to authorize the connection and communication is performed by using only functionality and information local to the UE. This mode is applicable only to pre-authorized ProSe-enabled Public Safety UEs, regardless of whether the UEs are served by E-UTRAN or not.

Network authorized direct communication: This mode of operation for ProSe Direct Communication always requires network assistance and may also be applicable when only one UE is “served by E-UTRAN” for Public safety UEs. For non-Public Safety UEs both UEs must be “served by E-UTRAN”.

PC1:

It is the reference point between the ProSe application 18 in the UE 12 and in the ProSe App Server 16. It is used to define application level requirements.

PC2:

It is the reference point between the ProSe App Server 16 and the ProSe Function 15. It is used to define the interaction between the ProSe App Server 16 and ProSe functionality provided by the 3GPP EPS via the ProSe Function 15. One example of use of it may be for application data updates for a ProSe database in the ProSe Function 15. Another example of use of it may be data for use by the ProSe App Server 16 in interworking between 3GPP functionality and application data, e.g. name translation.

PC3:

It is the reference point between the UE 12 and the ProSe Function 15. It is used to define the interaction between the UE 12 and the ProSe Function 15. An example of use of it is for configuration for ProSe discovery and communication.

PC4:

It is the reference point between the EPC 14 and the ProSe Function 15. It is used to define the interaction between the EPC 14 and the ProSe Function 15. Possible use cases of it may be when setting up a one-to-one communication path between UEs or when validating ProSe services (authorization) for session management or mobility management in real time.

PC5:

It is the reference point between the UE 11 and the UE 12 used for control and user plane for discovery and communication, for relay and one-to-one communication (between UEs directly and between UEs over LTE-Uu).

PC6:

This reference point may be used for functions such as ProSe Discovery between users which are subscribed to different PLMNs.

SGi:

In addition to the relevant functions defined in TS 29.061 [10] via SGi, it may be used for application data and application level control information exchange.

FIG. 3 is a schematic view showing a secure system of an exemplary embodiment of the present invention. As shown in FIG. 3, a secure system 1 of an exemplary embodiment of the present invention includes one or more requesting UEs L01, an operator network L02, and one or more receiving UEs L03. A method of performing a secure communication includes steps of a secure group management L1, a secure discovery L2, an initial authorization L3, an authentication L4, an authorization L5, a security association establishment L6, a secure communication L7, and a termination L8, which are performed between UEs (the requesting UE L01, the receiving UE L03) with or without interacting with the operator network L02.

Assuming that the network coverage is available for UEs, broadcasting is presented as an example in this exemplary embodiment, but this exemplary embodiment also applies to multiple-casting and one-to-one communications as shown in FIGS. 1A, 1B, and 2.

From setting up of a group till communication termination, security is needed in each step as described below. Note that steps L1-L4 can be in a different order depending on the service or application.

L1: Secure Group Management

Members can join securely, members can leave securely, and an authorization level of service and each of the members, and any other required information can be modified securely.

L2: Secure Discovery should Happen

If discovery is not secured, a device may start communication with a wrong party or a rogue device, with the result that masquerading attacks can happen that in turn could lead to fraudulent charging. For this purpose, the discovery related communication must be secured, i.e., a UE authenticates the identity of other UEs in proximity, discovery is integrity protected, and a device should be able to authenticate the message.

L3: Initial Authorization

The initial authorization based on secure discovery will lead to the decision that the discovered device belongs to the group, and thus the next step can start.

L4: Authentication

Once the device is discovered and authorized as a part of the group, there should be a mutual authentication; otherwise there is still scope for attacks.

L5: Authorization

The next level of authorization will find out what services can be used between the devices which belong to the same group. For example, a UE is allowed to send and receive different types of messages or is only allowed to receive broadcasting messages.

L6: Security Association Establishment (Key Derivation and Management)

The UEs which belong to the same group should have keys to protect their communication such that other UEs which do not belong to the group or an attacker cannot eavesdrop or alter the messages.

L7: Secure Communication

The communication between UEs in the same group can be protected by the security association, with integrity and/or confidentiality protection according to the subscription service type.

L8: Termination

The secure termination can provide security when UE(s) suspend or terminate the communication, or when the entire group communication is terminated.

The detailed method of performing a secure communication of an exemplary embodiment of the invention that fulfills the security requirements will be explained in the following sections. FIG. 4 is a sequence diagram explaining a method of making a secure communication between UE 100 and network 200 of an exemplary embodiment of the invention.

[1] Group Setting and Management (L1)

A group can be

(1) two devices communicating with each other (one-to-one), or
(2) more than two devices (one-to-many) where one UE can communicate with the other devices.
(3) more than two devices (many-to-many) that can communicate with each other.

A group can be set up for different communication purposes, and group members can be changed. To form a group, the operator network L02 can check the requesting UE L01 which requests the UE L03 which it wants to communicate with, verify devices if they can communicate with each other, and inform the verified devices at both sides (the requesting UE L01 and the receiving UE L03) of the request and formation.

Hereinafter one example of creating a group will be explained. As shown in FIG. 4, a UE 100 requests ProSe subscription to a network 200 and creates a group (Step 1). In step 1, the UE 100 needs to meet conditions, that is policy, e.g. interest, specific location etc. Also the network 200 needs to verify whether UE meets conditions, that is policy, e.g. proximity range, subscription, home network in case of roaming UE, WiFi or not, ProSe enabled, etc. The group is strictly formed, for example, the members of the group should be registered in a whitelist, or the group is dynamically formed on a request from the UE 100, or by the network 200 if the network 200 knows all UE conditions.

For creating a secure group, UEs 100 must agree to be a part of the group, and only “agreed” UEs 100 become group members. A group management includes adding group members, removing group members, ending the group, and adding temporary group members. Each UE 100 can see who is in proximity from e.g. a social network application, and requests for ProSe service, and the ProSe server needs to perform the authorization, but does not have to perform discovery.

[2] Discovery—Secure Detection of UEs in Proximity (L2)

Discovery and group creation in [1] can happen at the same time or be independent procedures.

There are the following three means by which a UE (the requesting UE L01) can discover other UEs (the receiving UEs L03) in proximity: (1) Broadcast based, (2) Network based, and (3) Device service level information based. How secure discovery can be done will be described as follows.

[2-1] Broadcast Based Solution

There are six ways (s1-s6) in Broadcast based solution:

(s1) Token

The broadcast message can contain a token that only the given UEs can have. The token should be used only once to prevent the receiving side from reusing it. In order to reach that, the UEs can calculate a token each time on receiving the broadcast message, or the network can inform all the UEs of the token to be used next. This can be used for such a use case as an information notification kind of service, since the token can be reused by the receiving side.

(s2) Signing Message

The broadcast message can be signed by a key that can be verified either by the receiving UEs or by the network for the receiving UEs. Signing can happen by different key management solutions or it can happen using the current keys for communicating with the infrastructure network (or derivation from current keys)—a new key hierarchy might be needed here.

(s3) Message ID

The broadcast message can have an ID that can be verified during the authentication and is used initially only for authorization.

(s4) Random Value

The broadcast message can contain a random value that can only be generated by the network and UE. Verification of the random value is done by the network on behalf of communicating UEs.

(s5) Key

Each UE has a specific key belonging to other devices, and thus it sends a potentially long broadcast or a new type of broadcast that is sent in pieces with encrypted/integrity protected parts for each UE in the group.

(s6) Stamp

The broadcast message can be signed with time-stamp and life-time. Note that this life-time can be a very short period or can last until the next broadcast.
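A receiver-side check that combines (s2), (s3) and (s6), given here as an added example that is not part of the patent text. It assumes HMAC-SHA256 under a key already shared by the group in place of the unspecified signing method; the 28-byte header layout, the status strings and the clock-skew allowance are constructed for illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = 32                       # HMAC-SHA256 output size (assumed algorithm)
HEADER = struct.Struct("!16sQI")   # message ID, time-stamp (s), life-time (s)


def build_broadcast(key, msg_id, issued_at, lifetime, payload):
    """Sender side: header || payload || tag, with the tag covering both."""
    header = HEADER.pack(msg_id, issued_at, lifetime)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class DiscoveryVerifier:
    """Receiver side: verify the source, enforce the life-time, refuse re-use."""

    def __init__(self, key, max_skew=2):
        self._key = key
        self._max_skew = max_skew   # tolerated clock difference in seconds
        self._seen = {}             # message ID -> expiry time

    def verify(self, message, now):
        """Return (status, payload); payload is None unless status is 'ok'."""
        if len(message) < HEADER.size + TAG_LEN:
            return "malformed", None
        body, tag = message[:-TAG_LEN], message[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        # Authenticate before parsing, so forged header fields are never trusted.
        if not hmac.compare_digest(tag, expected):
            return "bad-signature", None
        msg_id, issued_at, lifetime = HEADER.unpack_from(body)
        if issued_at > now + self._max_skew:
            return "not-yet-valid", None
        if now > issued_at + lifetime:
            return "expired", None
        # An ID only needs remembering until its message expires anyway.
        self._seen = {m: e for m, e in self._seen.items() if e >= now}
        if msg_id in self._seen:
            return "replayed", None
        self._seen[msg_id] = issued_at + lifetime
        return "ok", body[HEADER.size:]


if __name__ == "__main__":
    key = b"k" * 32                 # constructed sample key
    msg = build_broadcast(key, b"A" * 16, 1000, 5, b"discover-me")
    verifier = DiscoveryVerifier(key)
    for t in (1002, 1003, 1006):    # fresh, replayed, expired
        print(t, verifier.verify(msg, t)[0])
```

Because the time-stamp and life-time sit inside the authenticated header, a captured broadcast cannot have its life-time extended without failing the tag check.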

[2-2] Network Based Solution

A network can provide information. For this purpose, the network can use the location information received from the UE (the requesting UE L01), and the location information can be protected by the existing network security mechanism.

[2-3] Device Service Level Information Based Solution

The requesting UE L01 can use location information provided by a social network or other services. Security can be ensured in an application layer.

Detailed examples of the discovery will be explained. The UE 100 can set features and/or capabilities of Discovery/Discoverable in D2D (device-to-device communication) server.

Case 1A:

If the UE 100 does not know whether the other UEs are in proximity, the UE 100 can request the ProSe server for the ProSe service, and the ProSe server can send out the request for the ProSe service and meanwhile get the other UEs' location information.

Case 2A:

If the UE 100 can see who is in proximity from e.g. a social network application, and asks for service, the ProSe server needs to perform the authorization but does not have to perform Discovery.

If the ProSe server performs the authorization, the UEs 100 enable the ProSe and/or UEs 100 to be allowed to get given service/communication means.

If the discovery is done based on the proximity of UEs 100, the UE 100 sends location information periodically protected by a unicast security context. The network 200 requests location information when needed or periodically. The request (step 3) can be broadcasted, and the broadcasted message requires security. The response (step 4) can be protected by the unicast security context.

The Network stores the conditions for proximity, which can also be given by the requesting and receiving UE. The network 200 can broadcast to the receiving UEs in a neighborhood which are allowed to be discovered, and the UEs respond with protected messages. The UE 100 informs the network 200 of its conditions and capabilities at a first communication and/or registration or when any change happens.

The broadcast based solutions by the network 200 or the UE 100 require one or more of the following requirements. That is, the receiving side should be able to verify the source, the broadcast message should not be re-used, the network 200 which receives the response should be able to verify it, or the response should be discarded if it is too long. The UE 100 can use one or more of solutions for performing secure discovery. The solutions include a token, a sign, a message, a message ID, a random value, keys, and stamps. Note that those solutions can be used in the step 5 (mutually authenticate, the authentication L4), in the step 6 (authorize, the authorization L5), and in the step 7 (generate keys and negotiate algorithm, the secure communication L7), as shown in FIG. 4. The steps 5 to 7 can happen together, and might be related to broadcast security.

[3] Initial Authorization (L3)

The initial authorization varies according to the above discovery solution.

[3-1] Broadcast Based:

Whether the requesting UE L01 is allowed to communicate with the receiving UE L03 can be checked by a network or by the receiving UE L03 having a proof provided by the network.

[3-2] Network Based:

The requesting UE L01 and the receiving UE L03 can perform a mutual authentication over the direct wireless interface.

[3-3] Device Service Level Information Based:

The receiving UE L03 checks a list maintained by the user or in a UE among the members of the group of devices for ProSe service purpose.

[4] Authentication (L4)

Once the requesting UE L01 is identified as belonging to the same group, then authentication takes place. Authentication can be carried out locally or by interacting with the network.

[4-1] Authentication of the Requesting UE L01:

This can be performed by successful identification of the requesting UE L01 by a network or a UE with a proof from a network.

[4-2] Authentication of the Receiving UE L03:

This can be performed by

[4-2-i] using a key shared between the requesting UE L01 and the receiving UE L03
[4-2-ii] using current network security keys or new keys
[4-2-iii] a network which informs the requesting UE L01 of the incoming authentication request from the receiving UE L03.

[5] Authorization—Service Access Control (L5)

There should be different levels for access control to services that the requesting UE L01 and the receiving UE L03 (hereinafter also referred to as “UE”) can use within the group.

[5-1] UE is allowed to receive and/or send a broadcasting message.
[5-2] UE is allowed to receive and/or send multiple messages.
[5-3] UE is allowed to receive and/or send a message for one-to-one communications.
[5-4] UE authorization according to subscription information and the policy UE set for ProSe service.

A network can set up and provide the policy to the group members including the requesting UE L01 and the receiving UE L03 according to UE capabilities and user subscriptions.

The network 200 performs authorization for the UEs 100 that want to join the group. The group member UEs 100 verify whether other UEs are authorized by the network by using the session keys. Another method for performing validated authorization is (1) for a network to send an authorization value to each UE 100, and for each UE 100 to use this value to perform authorization for each other. (2) Yet another method for performing a validated authorization is for a requesting UE to send an authorization value to a receiving UE, after which the receiving UE requests the Network to validate this authorization value and receives the result.

[6] New Key Hierarchy and Key Management (L6)

A new key hierarchy is presented in this exemplary embodiment of the invention. Key Kp is a key related to the group and may also be related to a ProSe service. It has an indicator KSI_p related to it. Kp can be sent from ProSe Server to use.

Keys Kpc and Kpi are session keys that are derived from Kp at UEs. Kpc is a confidentiality key and Kpi is an integrity protection key. The session keys are used for UEs to perform authorization for each other, to set up ProSe communication, and to have the direct communication between them.

After authorization and authentication, the communicating devices including the requesting UE L01 and the receiving UE L03 can start sessions to communicate with each other. When the requesting UE L01 and the receiving UE L03 communicate with each other, they should share communication keys. The keys can be a group key, and/or a unique key per communicating device as well as a session key per each session.

The key can be managed by the network and sent over the secure communication channel with the network. Alternatively, the key can be managed by the requesting UE L01 and sent to other devices including the receiving UE L03 in the communication, over a secure unicast communication channel that can be secured by the network during authentication or verification. The key can also be issued by a trusted third party.

The UEs 100 authenticate each other at the beginning of a session (S5). The authentication is linked to authorization (S6). FIGS. 5A to 5C are schematic views showing One-to-one, One-to-many, and Many-to-many sessions, respectively. As shown in FIGS. 5A to 5C, a UEa 21 and a UEa 31 indicate the requesting UE L01, and a UEb 22, a UEb 32, a UEc 33 and a UEn 33n indicate the receiving UE L03.

When the session is started, firstly session keys are generated. In this exemplary embodiment, the requesting UE L01 (UEa 21, the UEa 31) and the receiving UE L03 (UEb 22, the UEb 32, the UEc 33, the UEn 33n) use two kinds of keys including session keys.

Case 1B:

Each group has a key Kp for each service (Kp serves as a service key) and a new session key is created for each session.

Case 2B:

Each group has the key Kp (Kp serves as a group key), and a new session key is created for each session.

In each case, either the ProSe server or the requesting UE L01 sends keys. For example, the ProSe server sends the key Kp to the requesting UE L01 and the receiving UE(s) L03, and the requesting UE L01 sends a session key to the receiving UE(s) L03 every session. Alternatively, the ProSe server sends both of the key Kp and the session key to the requesting UE L01 and the receiving UE(s) L03, or the requesting UE L01 sends both of the key Kp and the session key to the receiving UE(s) L03.

Further, the key Kp and/or the session key should be changed, for example, when the group changes because someone leaves or is added, when a session ends or a key times out, or when the ProSe server has made a decision.

If the ProSe Server allocates the key Kp to UEs, UEs derive session keys from that for authorization and communication. UEs can be pre-configured with algorithms for key derivation, or the key Kp is related to a KSI (key set identifier) and a service. Because of them, the security problems during UEs' authentication and authorization or the security problems of a key for direct communication may be solved.

Note that the key set identifier (KSI) is a number which is associated with the cipher and integrity keys derived during the authentication. The key set identifier can be allocated by the network and sent with the authentication request message to the mobile station where it is stored together with a calculated cipher key CK and an integrity key IK. The purpose of the key set identifier is to make it possible for the network to identify the cipher key CK and integrity key IK which are stored in the mobile station without invoking the authentication procedure. This is used to allow re-use of the cipher key CK and integrity key IK during subsequent connections (session).
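The hierarchy Kp (with KSI_p) to per-session Kpc and Kpi, the peer authorization check with session keys from [5], and the change of Kp when a member leaves, shown as an added example that is not part of the patent text. The patent leaves the derivation algorithm to pre-configuration, so HMAC-SHA256 as the derivation function, the label strings, the proof format and the class and function names are all assumptions made for illustration.

```python
import hashlib
import hmac


def derive_session_keys(kp, ksi_p, session_id):
    """Return (Kpc, Kpi) for one session, derived from Kp at the UE."""
    def kdf(label):
        # Distinct labels keep the confidentiality and integrity keys
        # independent; KSI_p and the session ID bind them to one Kp and session.
        info = label + b"\x00" + bytes([ksi_p]) + session_id
        return hmac.new(kp, info, hashlib.sha256).digest()
    return kdf(b"ProSe-Kpc"), kdf(b"ProSe-Kpi")


def authorization_proof(kpi, ue_id, nonce):
    """Proof that ue_id holds the current Kpi (hypothetical message format)."""
    data = len(ue_id).to_bytes(1, "big") + ue_id + nonce
    return hmac.new(kpi, data, hashlib.sha256).digest()


class GroupMember:
    """UE-side key state: Kp and KSI_p from the ProSe server, session keys local."""

    def __init__(self, ue_id, kp, ksi_p):
        self.ue_id, self.kp, self.ksi_p = ue_id, kp, ksi_p
        self.session_keys = None

    def start_session(self, session_id):
        self.session_keys = derive_session_keys(self.kp, self.ksi_p, session_id)

    def prove(self, nonce):
        return authorization_proof(self.session_keys[1], self.ue_id, nonce)

    def check_peer(self, peer_id, nonce, proof):
        if self.session_keys is None:
            return False
        expected = authorization_proof(self.session_keys[1], peer_id, nonce)
        return hmac.compare_digest(proof, expected)

    def rekey(self, new_kp, new_ksi_p):
        # Group changed or Kp timed out: replace Kp and drop derived keys.
        self.kp, self.ksi_p = new_kp, new_ksi_p
        self.session_keys = None


if __name__ == "__main__":
    kp1, kp2 = bytes(range(32)), bytes(range(32, 64))   # constructed sample keys
    nonce = b"n" * 16
    a, b, c = (GroupMember(i, kp1, 1) for i in (b"UEa", b"UEb", b"UEc"))
    for ue in (a, b, c):
        ue.start_session(b"session-1")
    print("UEb accepts UEa:", b.check_peer(b"UEa", nonce, a.prove(nonce)))
    a.rekey(kp2, 2)                 # UEc leaves; the server issues a new Kp
    b.rekey(kp2, 2)
    for ue in (a, b, c):
        ue.start_session(b"session-2")
    print("UEa accepts former member UEc:",
          a.check_peer(b"UEc", nonce, c.prove(nonce)))
```

The second check fails because UEc still derives from the old Kp, which is the reason the text above requires a key change whenever someone leaves the group.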

[7] Secure Communication (L7)

Secure communication can provide message transmission availabilitybetween group member UEs, as well as preventing a message from beingeavesdropped on or altered by UEs that do not belong to the group. Alsothe secure communication can prevent UE from using an unauthorizedservice.

The communication within the group should have integrity and/orconfidentiality protection. All the communications can be protected bythe session keys described above, after the security association isestablished.

The security policy can be a negotiation and an agreement within thegroup with or without the support of the operator network L02. All thegroup members should follow the security policy.

Next, security in the case where a UE's location changes will be explained. If none of the UEs has a location change, there is no security issue. Further, if all of the UEs have changed location but stayed in proximity to each other, there is still no security issue.

If some of the UEs (one or more UEs) have moved out of proximity from the other UEs and they do not use the ProSe service, group and security management need to be updated for the remaining UEs in the group. Alternatively, if one or more UEs have moved out of proximity from the UEs and they want to keep the ProSe service with each other, group and security management need to be updated for the remaining UEs in the group, and a new group and security are needed for the traveler.

Note that the ProSe Server should get UE location information from the GMLC (Gateway Mobile Location Center) periodically, to compare and compute the location differences of all UEs.

[8] Termination (L8)

When the communication is to be suspended, devices should remove the session key while keeping information of the authentication and authorization.

When the communication is to be terminated, the devices can keep history information, or the allocated token with a lifetime for the next use time to prevent signaling for authentication and authorization again.

Smooth handover from an infrastructure to a direct mode will require creation of a key between communicating parties (the requesting UE L01 and the receiving UE L03) before a handover happens. For example, if communicating parties are using WiFi, a key should be allocated to the WiFi AP and UEs. The WiFi AP and UEs should authorize and authenticate each other. The key should have a limited lifetime. A network can recognize which WiFi AP the UE can communicate with. UEs can find that there is a WiFi AP nearby and the network verifies the WiFi AP. UEs authenticate with the ProSe Server when UEs connect to a WiFi AP. One option is that the ProSe Function can allocate keys for the UEs to communicate with a ProSe APP Server.

To summarize the above description, the method of making a secure communication of an exemplary embodiment includes the following features:

(1) The operator network L02 determines whether the requesting UE L01 can communicate with the receiving UE L03 requested by the requesting UE L01.
(2) Security in discovery of UEs in proximity can be provided by using a token, a key, and signing provided by the network.
(3) Security in discovery of UEs in proximity can be provided by using a location provided by the operator network L02.
(4) Security in discovery of UEs in proximity can be provided by using location information provided by social network services, with security provided in an application layer.
(5) Authorization of the devices can be performed by the network or by the devices' direct verification.
(6) Mutual authentication between the requesting UE L01 and the receiving UEs that agreed to be in the group L03 can be carried out by the network and also both UEs can be informed with the result.
(7) Mutual authentication between the requesting UE L01 and the receiving UEs L03 can be carried out by both ends with a key shared therebetween.
(8) New keys for securing the ProSe communication which are a group key and a unique session key can be used.
(9) Security policy in a group for secure communication is negotiated and set.
(10) Termination management can be performed to prevent the same keys from being used and set up a security context for other communication.

According to the secure system of an exemplary embodiment, the operator network L02 can determine the receiving UE(s) L03 with which the requesting UE L01 can communicate, and can ensure secure discovery by either providing security parameters to the requesting UE L01 or receiving UE L03, and providing location information of the receiving UE L03 to the requesting UE L01. Furthermore, the operator network L02 can perform authentication and authorization for the requesting UE L01 and receiving UE L03, and can support security association between UEs to secure ProSe communication.

[9] A Detailed Method of Performing the Group Management L1

Next, a more detailed method of performing the group management L1 will be explained. As described above, the ProSe server is a network element as agreed in 3GPP SA2#97 to NPL2. In Proximity-based services, the subscription data of a user/UE indicates whether a UE is ProSe enabled, and if it is so, the subscription data also indicates the UE's ProSe capability which:

1) can discover other UEs;
2) can be discovered by other UEs; or
3) satisfies both of 1) and 2).

The subscription data is stored in a ProSe server that interacts with other network elements such as the HSS. According to an operator policy, the subscription data can also be retrieved from the HSS.

The UE can set a trigger event for being discovered and/or discovering and register its policy profile in the ProSe server. The ProSe server can indicate a UE or discard it accordingly, when there is a ProSe service request to the UE. The trigger events can be:

1) On location: when it goes somewhere to receive information, such as coupons;
2) VIP member: when the given UE is nearby; and
3) Time etc.

Upon receiving a ProSe Service Request from a UE, the ProSe server should verify the following, before initiating the Discovery procedure.

1) Whether the requesting UE and the receiving UE are both ProSe enabled UEs, and they have subscribed ProSe service,
2) Whether the requesting UE is allowed for discovering service,
3) Whether the receiving UEs are ProSe enabled UEs and allowed to be discovered, or
4) Whether the UEs are allowed to have the requested service and communication.

After the verification, the ProSe server informs the requesting UE that the request has been received and is pending. The ProSe server should perform Discovery described above. The ProSe server can request network support for those procedures. The ProSe server informs the result of Discovery, containing a list of accepted UEs, allowed services, allowed communication means, and any other necessary parameters.

The requesting UE can automatically be the group manager if there is none and start to perform authentication, authorization, and security association establishment in the group. There are two cases:

Case 1C: The requesting UE wants to communicate with some UEs but does not know if they are nearby and/or available.
Case 2C: The requesting UE, using some application which shows that there are some UEs nearby, selects some UEs to have ProSe with.

Here, details of the procedure in each case will be described as follows. Note that the UEs can be subscribed to the same ProSe server or different ones.

[[Case 1C]]: A UE does not have Knowledge Whether the Receiving UEs are in Proximity.

FIG. 6 is a flow chart showing a method of performing the group management of a Case 1C of an exemplary embodiment. As shown in FIG. 6, the system includes the UEa 21 serving as a requesting UE, the UEb 22 serving as a receiving UE, a ProSe server 24, and an HSS 25. The method includes the following nine steps SP1 to SP9.

SP1: The ProSe server 24 stores subscription data of UEs.
SP2: The requesting UE 21 sends the ProSe Service Request to the ProSe server 24, containing a requesting UE ID, a list of receiving UE IDs, a request service type, a request communication type, optionally a group ID if the group has been formed before or the requesting UE wishes to name the group ID, and optionally a range.
SP3: The ProSe server 24 can interact with the HSS 25 for authentication information of the UE if needed.
SP4: The ProSe server 24 performs verification on the requesting and receiving UEs 21 and 22.
SP5: The ProSe server 24 sends a ProSe Service ACK to the requesting UE 21, containing a status of pending.
SP6: The ProSe server 24 performs the Discovery procedure.
SP7: After the Discovery procedure, the ProSe server 24 sends the ProSe Service Result to the requesting UE 21, with the group ID, the accepted UEs, the allowed service type, the allowed communication type, and the security parameters (optional).
SP8: The ProSe server 24 can also send the same ProSe Service Result to the receiving UEs 22.
SP9: Once the requesting and receiving UEs 21 and 22 know the allowed group members, the group security establishment can be started.

[[Case 2C]]: A UE Recognizes that Some Other UEs are Nearby.

In Case 2C, it is assumed that a subscriber runs an application that shows which UEs are in proximity. The subscriber can choose with which UEs it wants to have the ProSe service. Thus, the Discovery procedure is not needed. The ProSe server 24 will verify whether the requesting UE 21 can have the ProSe service with the receiving UEs 22 in the same way as described in Case 1C.
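The verification the ProSe server 24 performs on a ProSe Service Request (steps SP2 to SP7, and the only server-side step in Case 2C), as an added example that is not part of the patent text. The Subscription fields, the dictionary keys and the sample UEs are assumptions; the Discovery procedure itself is not modeled, and UEs without subscription data are rejected by default.

```python
import secrets
from dataclasses import dataclass, field


@dataclass
class Subscription:
    """Hypothetical shape of the subscription data held by the ProSe server."""
    prose_enabled: bool = False
    can_discover: bool = False
    can_be_discovered: bool = False
    services: set = field(default_factory=set)
    comm_types: set = field(default_factory=set)


def verify_service_request(subs, req):
    """Apply the server's checks and build a ProSe Service Result."""
    def allowed(sub):
        # ProSe enabled and subscribed to the requested service and communication.
        return (sub is not None and sub.prose_enabled
                and req["service_type"] in sub.services
                and req["comm_type"] in sub.comm_types)

    requester = subs.get(req["requesting_ue"])  # unknown UE -> None -> rejected
    if not allowed(requester) or not requester.can_discover:
        return {"status": "rejected", "accepted_ues": []}

    accepted = []
    for ue_id in dict.fromkeys(req["receiving_ues"]):  # de-duplicate, keep order
        sub = subs.get(ue_id)
        if ue_id != req["requesting_ue"] and allowed(sub) and sub.can_be_discovered:
            accepted.append(ue_id)
    if not accepted:
        return {"status": "rejected", "accepted_ues": []}
    # Only accepted UEs are listed; the result does not say why others failed.
    return {"status": "accepted",
            "group_id": req.get("group_id") or "grp-" + secrets.token_hex(8),
            "accepted_ues": accepted,
            "service_type": req["service_type"],
            "comm_type": req["comm_type"]}


# Constructed sample data: UEc may not be discovered, UEd has no subscription.
SUBS = {
    "UEa": Subscription(True, True, False, {"chat"}, {"direct"}),
    "UEb": Subscription(True, False, True, {"chat"}, {"direct"}),
    "UEc": Subscription(True, True, False, {"chat"}, {"direct"}),
}
REQUEST = {"requesting_ue": "UEa", "receiving_ues": ["UEb", "UEc", "UEd", "UEb"],
           "service_type": "chat", "comm_type": "direct"}
```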

To summarize the above description, the method of performing a secure group management of an exemplary embodiment includes the following features:

(1) The ProSe server is configured with subscription data of UEs, containing UE capability of ProSe service, information of UEs which can have the ProSe service, and the policy set by the UEs;
(2) The ProSe server performs authorization on the requesting UE, to verify: whether it can have the requested ProSe service with the communication type, and whether the requesting UE can have the ProSe service with the given receiving UEs;
(3) The ProSe server performs authorization on the receiving UEs, to verify whether they can have the ProSe service with the requesting UE;
(4) A UE can set the event trigger for discovering and being discovered with network authorization;
(5) The ProSe server sends a ProSe Service Ack to the requesting UE with a status of pending; and
(6) The ProSe server sends the ProSe Service Result to the requesting UE and also the receiving UE, with a group ID, accepted UEs, an allowed service type and a communication type, and security parameters (optional).

According to the secure system of an exemplary embodiment of the invention, a network controls whether the requesting and receiving UEs can have ProSe service with each other. The requesting UE can select receiving UEs with which the requesting UE wants to have the ProSe service, and requests a network to perform authorization. Furthermore, the requesting and receiving UEs can set an event trigger for discovering and being discovered, such that it can have a customized setting.

This software can be stored in various types of non-transitory computer readable media and thereby supplied to computers. The non-transitory computer readable media includes various types of tangible storage media. Examples of the non-transitory computer readable media include a magnetic recording medium (such as a flexible disk, a magnetic tape, and a hard disk drive), a magneto-optic recording medium (such as a magneto-optic disk), a CD-ROM (Read Only Memory), a CD-R, and a CD-R/W, and a semiconductor memory (such as a mask ROM, a PROM (Programmable ROM), an EPROM (Erasable PROM), a flash ROM, and a RAM (Random Access Memory)). Further, the program can be supplied to computers by using various types of transitory computer readable media. Examples of the transitory computer readable media include an electrical signal, an optical signal, and an electromagnetic wave. The transitory computer readable media can be used to supply programs to a computer through a wire communication path such as an electrical wire and an optical fiber, or a wireless communication path.

This application is based upon and claims the benefit of priority from Japanese Patent Application No. 2013137291, filed on Jun. 28, 2013, the disclosure of which is incorporated herein in its entirety by reference.

REFERENCE SIGNS LIST

-   1 secure system
-   10 system
-   11 UE
-   12 UE
-   13 E-UTRAN
-   14 EPC
-   15 ProSe Function
-   16 ProSe APP Server
-   17 ProSe APP
-   18 ProSe APP
-   19 eNB
-   20 eNB
-   21 UEa
-   22 UEb
-   24 ProSe Server
-   25 HSS
-   31 UEa
-   32 UEb
-   33 UEc
-   33 n UEn
-   100 UE
-   100 a system
-   100 b system
-   200 network
-   L01 requesting UE
-   L02 operator network
-   L03 receiving UE
-   L1 secure group management
-   L2 secure discovery
-   L3 initial authorization
-   L4 authentication
-   L5 authorization
-   L6 security association establishment
-   L7 secure communication
-   L8 termination

1. A first server for group management in a mobile communication system, the first server comprising: a processor; and a memory having stored thereon a set of instructions executable by the processor, wherein, upon execution of the set of instructions, the processor causes the first server to: receive, from a first user equipment (UE), a request message including a first identification (ID) of the first UE, a list of second IDs of a plurality of second UEs, and first information about a request service, perform verification of one or more of the plurality of second UEs, send a verification result and a group ID of a group of UEs to the first UE, and send the group ID to the one or more of the plurality of second UEs.

2. The first server according to claim 1, wherein the request message includes second information about a request communication.

3. The first server according to claim 1, wherein the first server sends third information about the first UE and the plurality of second UEs to a second server.

4. The first server according to claim 1, wherein the request message is used to create the group of UEs.

5. A method of a first server for group management in a mobile communication system, the method comprising: receiving, from a first user equipment (UE), a request message including a first identification (ID) of the first UE, a list of second IDs of a plurality of second UEs, and first information about a request service; performing verification of one or more of the plurality of second UEs; sending a verification result and a group ID of a group of UEs to the first UE; and sending the group ID to the one or more of the plurality of second UEs.

6. The method according to claim 5, wherein the request message includes second information about a request communication.

7. The method according to claim 5, wherein the first server sends third information about the first UE and the plurality of second UEs to a second server.

8. The method according to claim 5, wherein the request message is used to create the group of UEs.

9. A first user equipment (UE) in a mobile communication system including a first server for group management, the first UE comprising: a processor; and a memory having stored thereon a set of instructions executable by the processor, wherein upon execution of the instructions the processor causes the first UE to: send, to the first server, a request message including a first identification (ID) of the first UE, a list of second IDs of a plurality of second UEs, and first information about a request service, and receive a verification result and a group ID of a group of UEs from the first server, wherein one or more of the plurality of second UEs receive the group ID from the first server.

10. The first UE according to claim 9, wherein the request message includes second information about a request communication.

11. The first UE according to claim 9, wherein the first server sends third information about the first UE and the plurality of second UEs to a second server.

12. The first UE according to claim 9, wherein the request message is used to create the group of UEs.

13. A method of a first user equipment (UE) in a mobile communication system including a first server for group management, the method comprising: sending, to the first server, a request message including a first identification (ID) of the first UE, a list of second IDs of a plurality of second UEs, and first information about a request service; and receiving a verification result and a group ID of a group of UEs from the first server, wherein one or more of the plurality of second UEs receive the group ID from the first server.

14. The method according to claim 13, wherein the request message includes second information about a request communication.

15. The method according to claim 13, wherein the first server sends third information about the first UE and the plurality of second UEs to a second server.

16. The method according to claim 13, wherein the request message is used to create the group of UEs.